If I have an Area in my ASP.NET MVC 3 (Razor) Web application, where all controllers derive from a base controller that looks like this:

[Authorize(Roles="Administrator")]
public class AdminController : Controller
{

}

When a non-administrator tries to access a URL in that area, they get redirected to the login page specified in the web.config.

But this doesn't really make sense if the user is already authenticated, but not an administrator. In that scenario, shouldn't we be returned an HTTP 401?

My question is basically how do people handle this - do they create custom authorize attributes?

RPM1984
  • have voted this to close - as I found another exact question: http://stackoverflow.com/questions/238437/why-does-authorizeattribute-redirect-to-the-login-page-for-authentication-and-aut. Although that was 2 years ago - is it still the same problem? – RPM1984 Apr 21 '11 at 04:51
  • Yes, same problem. BTW, you could always write your own Authorize and have it throw an `HttpException` with the 401 in it. – Esteban Araya Apr 21 '11 at 05:15

4 Answers

See this thread ... ASP.Net converts 401 to 302 error codes

What you really want to do is return a 403 code. 401 is intended for authentication challenges. ASP.NET forms authorization intercepts 401 and pushes users to the login page.

If you still want to do a 401, could you describe what is the expected experience for the end user?

Naraen
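
One way to get the behaviour the question asks for, shown here as an added example rather than code from any of the answers: subclass AuthorizeAttribute and override HandleUnauthorizedRequest so that a caller who is signed in but fails the role check gets a 403 (which the forms authentication module does not intercept), while a caller who is not signed in still gets the base class's 401 and the usual login redirect. The role name and controller are the question's own; the attribute class name is an assumption.

```csharp
using System.Web.Mvc;

// Added example (not from the original post): 403 for authenticated callers
// who are not in the required role, 401 / login redirect for everyone else.
public class RoleOrForbidAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            // Signed in but not authorized: this is a forbidden request, not an
            // authentication challenge, so forms authentication leaves it alone.
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
        else
        {
            // Not signed in: the base class sets HttpUnauthorizedResult (401),
            // which the forms authentication module turns into the login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Applied to the area's base controller from the question.
[RoleOrForbid(Roles = "Administrator")]
public class AdminController : Controller
{
}
```

Note that customErrors or IIS custom error pages may still replace the 403 response body; the status code itself is what the browser and any API client will see.
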

I work with ASP.NET MVC4 Beta and today I noticed that if I add a ReturnUrl parameter to the querystring, the forms module doesn't change the response.

So if the action i/Rate has the [Authorize] attribute, then

<a href="/xm/i/Rate?pid=3&amp;count=2&amp;ReturnUrl=%2F">..</a>

returns 401. I don't know if it is a bug or a feature, but now it works as described.

stej
  • Sounds like a bug to me - I just perfectly innocently added ReturnUrl to a URL that needed authorisation and I got a 401 - your answer helps me - thanks! – Gaz Dec 06 '13 at 22:54
  • I'm glad that my comment helped ;) – stej Dec 10 '13 at 13:44

We have a custom authorize filter attribute for such scenarios, and we take the user to a custom error page:

using System.Web.Mvc;

public class CustomAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Placeholder check: substitute the application's own permission test here.
        bool userHasPermission = filterContext.HttpContext.User.IsInRole("Administrator");

        if (!userHasPermission)
        {
            // Send the user to a custom error page instead of the login page.
            filterContext.Result = new RedirectResult("/Error/AccessDenied");
        }
    }
}
Muhammad Adeel Zahid
  • Yeah I thought of that, but I don't really want to return a page. I want to return an HTTP 401 (via IIS) – RPM1984 Apr 21 '11 at 04:47

If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code. If the site is configured to use ASP.NET forms authentication, the 401 status code causes the browser to redirect the user to the login page.

Reference: http://msdn.microsoft.com/zh-tw/library/system.web.mvc.authorizeattribute.aspx

Other similar question: How to intercept 401 from Forms Authentication in ASP.NET MVC?

Maidot
  • Yes, I want the 401, but I don't want the redirect. They shouldn't be taken to the login page if they're already authenticated, but not authorized. – RPM1984 Apr 21 '11 at 04:48